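# NixOS module for the pub-solar Paperless setup.
#
# Declares the `pub-solar.paperless` options and, when enabled, configures
# an nginx virtual host that reverse-proxies to 127.0.0.1:8899 and
# (optionally) opens the matching firewall ports. The service itself is
# expected to come from ./container.nix, which is not visible from here.
{ config, lib, ... }:
with lib;
let
  cfg = config.pub-solar.paperless;
in
{
  imports = [ ./container.nix ];

  options.pub-solar.paperless = {
    # mkEnableOption takes the thing being enabled as a string (the default
    # is already false); passing an attribute set breaks the generated
    # option description.
    enable = mkEnableOption (lib.mdDoc "paperless");

    # Firewall ports are only opened when this is set, so enabling the
    # module no longer exposes anything to the network by itself.
    openFirewall = mkEnableOption (lib.mdDoc "opening of the web and FTP ports in the firewall");

    domain = mkOption {
      type = types.str;
      default = "paperless.local";
      description = lib.mdDoc "Name of the nginx virtual host that proxies to Paperless.";
    };

    # Not referenced in this file; presumably consumed by ./container.nix — confirm.
    hostStateDir = mkOption {
      type = types.str;
      default = "/var/lib/paperless-container";
    };

    # Only used below for the firewall rule. The nginx virtual host in this
    # file sets no explicit listen port — NOTE(review): confirm that a
    # non-default value is actually honoured somewhere (e.g. container.nix).
    listenPort = mkOption {
      # types.port rejects values outside 0-65535 at evaluation time.
      type = types.port;
      default = 80;
    };

    # ftp
    # FTP carries credentials and documents in clear text; enable it only on
    # networks where that is acceptable.
    ftp = {
      enable = mkEnableOption (lib.mdDoc "the vsftpd FTP service");

      listenPort = mkOption {
        type = types.port;
        default = 21;
      };

      pasvMinPort = mkOption {
        type = types.port;
        default = 20021;
      };

      pasvMaxPort = mkOption {
        type = types.port;
        default = 22021;
      };
    };

    # nextcloud
    nextcloud = {
      enable = mkEnableOption (lib.mdDoc "backup to Nextcloud");
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.ftp.pasvMinPort <= cfg.ftp.pasvMaxPort;
        message = "pub-solar.paperless.ftp.pasvMinPort must not be greater than pasvMaxPort.";
      }
    ];

    # Least privilege: nothing is opened unless openFirewall is set, and the
    # FTP control port and the 2000-port passive range are only opened when
    # the FTP service is enabled as well.
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.listenPort ] ++ optional cfg.ftp.enable cfg.ftp.listenPort;
      allowedTCPPortRanges = optional cfg.ftp.enable {
        from = cfg.ftp.pasvMinPort;
        to = cfg.ftp.pasvMaxPort;
      };
    };

    services.nginx = {
      enable = true;
      # No TLS options (forceSSL / enableACME) are set on this virtual host
      # in this file, so logins and documents travel unencrypted unless TLS
      # is configured elsewhere.
      virtualHosts."${cfg.domain}" = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:8899";
          proxyWebsockets = true;
          # X-Forwarded-For is overwritten with the directly connected peer
          # address, so a client-supplied value is not passed through.
          extraConfig = ''
            proxy_read_timeout 300s;
            proxy_set_header Host ''$host;
            proxy_set_header X-Forwarded-For ''$remote_addr;
          '';
        };
      };
    };
  };
}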